WordPress Vulnerability Roundup: May 2019, Part 1

New WordPress plugin vulnerabilities have been disclosed this month, so we want to keep you aware of them.

In this post, we divide this month’s WordPress-related vulnerabilities into four different categories:

1. WordPress Core

2. WordPress Plugin

3. WordPress Themes

4. Breaches From Around the Web*

*We include breaches from around the web in this post because it’s important to also be aware of vulnerabilities outside of the WordPress ecosystem. Exploits to server software can expose sensitive data. Database breaches can expose the credentials for the users on your website, opening the door for attackers to access your site.

WordPress Core Vulnerabilities

As of this post, no WordPress core vulnerabilities have been disclosed in 2019.

2. All-in-One Event Calendar

What You Should Do

The vulnerability has been patched, and you should update to version 2.5.39.

3. W3 Total Cache

W3 Total Cache version 0.9.7.3 and below had three different vulnerabilities disclosed this month.

The first vulnerability is a server-side request forgery (SSRF) flaw that can be leveraged in a remote code execution (RCE) attack. The second vulnerability is a cross-site scripting (XSS) flaw. The third vulnerability allows a bypass of a cryptographic check.

What You Should Do

The vulnerabilities have been patched, and you should update to version 0.9.7.4.

4. Ninja Forms File Uploads Extension

Ninja Forms File Uploads Extension version 3.0.22 and below is vulnerable to an arbitrary file upload exploit. A site would need to have Ninja Forms installed and the File Uploads extension enabled for someone to take advantage of it. Onvio reported that an attacker could execute malicious code using the exploit.

What You Should Do

The vulnerability has been patched, and you should update to version 3.0.23.

5. Ultimate Member

Ultimate Member version 2.0.45 and below is vulnerable to an arbitrary file read and delete exploit and two different cross-site scripting attacks. Sucuri reported that this very serious exploit could allow an attacker to take over your website.

What You Should Do

The vulnerabilities have been patched, and you should update to version 2.0.46.

6. Custom Field Suite

Custom Field Suite version 2.5.14 and below is vulnerable to an authenticated cross-site scripting attack. It is worth mentioning that this requires a user with editor or admin privileges to be logged in to take advantage of the exploit.

What You Should Do

The vulnerability has been patched, and you should update to version 2.5.15.
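A quick way to check a site against the plugin versions listed in this roundup is to feed the output of `wp plugin list --format=json` into a small script. The example below is added here and is not part of the original post or of any of the plugins; the plugin slugs in the table are assumptions (WordPress.org directory names) and the sample JSON is constructed.

```python
import json

# Plugin slug -> first patched version, taken from the roundup above.
# The slugs are assumptions; confirm they match the directory names on your site.
PATCHED = {
    "all-in-one-event-calendar": "2.5.39",
    "w3-total-cache": "0.9.7.4",
    "ninja-forms-uploads": "3.0.23",
    "ultimate-member": "2.0.46",
    "custom-field-suite": "2.5.15",
}

def parse_version(text):
    """Turn '0.9.7.3' into (0, 9, 7, 3) so comparisons are numeric, not lexical."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def is_vulnerable(installed, patched):
    """True when the installed version is older than the first patched release."""
    a, b = parse_version(installed), parse_version(patched)
    n = max(len(a), len(b))          # pad so that 2.5 compares equal to 2.5.0
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b

def find_outdated(wp_cli_json):
    """Return {slug: (installed, patched)} for listed plugins that still need updating."""
    outdated = {}
    for plugin in json.loads(wp_cli_json):
        slug = plugin.get("name", "")
        if slug in PATCHED and is_vulnerable(plugin.get("version", "0"), PATCHED[slug]):
            outdated[slug] = (plugin["version"], PATCHED[slug])
    return outdated

# Constructed sample of `wp plugin list --format=json` output (not from a real site).
SAMPLE = json.dumps([
    {"name": "w3-total-cache", "status": "active", "update": "available", "version": "0.9.7.3"},
    {"name": "ultimate-member", "status": "active", "update": "none", "version": "2.0.46"},
    {"name": "custom-field-suite", "status": "inactive", "update": "none", "version": "2.5.14"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.1"},
])

if __name__ == "__main__":
    for slug, (have, need) in sorted(find_outdated(SAMPLE).items()):
        print(f"{slug}: installed {have}, update to {need} or later")
```

Note that an inactive plugin is still flagged, because its files remain on the server and some of the issues above do not require the plugin to be active.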

1. Antivirus Company Source Code On Sale

This is an interesting story because it shows that even antivirus companies are vulnerable to attacks, and household names like McAfee and Norton may be among the victims.

2. Alpine Linux Docker Image Vulnerability

Versions of the Alpine Linux Docker image contained a NULL password for the root user. This means someone could log in as root just by leaving the password blank. Docker is awesome, but it is important to remember that an image creator may not follow security best practices.

3. WhatsApp

Facebook-owned WhatsApp had a vulnerability that allowed attackers to install spyware on your phone. An attacker only needed to call you (you did not even need to answer) to install surveillance software on your iPhone or Android device. What makes the exploit extra nasty is that they could remove the call from the log, removing any trace of the attack.

If you are a WhatsApp user, be sure you are using the latest version of the app.

4. OKC Public Schools

Unfortunately, schools aren’t off-limits to online evil-doers. Oklahoma City Public Schools had to shut down their network due to ransomware. As of right now, OKCPS hasn’t disclosed what information has been compromised.

May WordPress Vulnerability Roundup Wrap-Up

Just remember that outdated software is the number one reason sites get hacked. Every vulnerability disclosed so far this month has been patched. Leaving outdated software on your site will leave you vulnerable to attack.

Be sure to stay tuned for Part 2 of May 2019 WordPress vulnerabilities as we compile disclosures made during the last half of the month.